Brainstorming tool availability

Hello community,

I currently work as a Cybersecurity Consultant and have almost 30 years of experience in the IT industry in a variety of fields and positions. I have always tried to instil a threat modelling mindset in both myself and my clients.

I am reaching out to brainstorm potential ideas and tool-based approaches to a very ‘specific’ challenge - one that may also be relevant to a wider audience and context.

We are looking at a critical infrastructure provider in the midst of various transition/transformation projects, while at the same time facing EU NIS2 compliance. Bear with me: the enquiry was for “something with threat modelling” - the message was relayed by the sales team as I am often the go-to resource for arcane enquiries from high profile clients.

I met with one of their group CISOs and SMEs from their cyber team - here is what they are actually looking for: a tool/solution that helps with risk-based ad hoc infrastructure configuration management - with a dash of threat modelling.

Yes, I also started to roll my eyes when I heard that - but as the discussion progressed, we arrived at a potential POC idea/sample use case:

  • business/infrastructure team requests a firewall rule
  • [Tool] assesses risk/threat profile of said request against technical configuration requirements/constraints, general cybersecurity policies and last but not least NIS2 compliance criteria/controls.
  • [Tool] generates a pre-assessment in a ‘management-ready’ format/language and allows for further wizard-like exploration, justification, etc.

I have reviewed various continuous control/compliance management, risk management and related vendors - to no avail. Personally, I am exploring the feasibility of AI (LLM, KG, RAG combined with more traditional approaches) in the context of risk/threat modelling - but before I propose that route, I wanted to check if any of you have come across a similar request and/or perchance seen tooling that offers said “portable cyber/risk officer in a box” functionality, at least on paper =].

Thank you for reading until here - looking forward to your feedback/ideas!

Cheers,
Daniel

ExtraHop, an NDR/NPM tool, does what-if modelling. It maps out the network and takes in vulnerability info from other tools to provide impact analysis and detect chained vulnerabilities. Might be worth exploring.

It’s my experience that the more specific your requirements the less likely you are to find a tool that meets those requirements. This usually means people have to entertain the ‘tool of last resort’, which is obviously Excel (or your favourite spreadsheet).

To be fair, in threat modelling terms you have a security model you want to use - technical configuration requirements/constraints, general cybersecurity policies and NIS2 compliance criteria/controls - so if you can crunch that model into a set of simple questions captured in a spreadsheet, you have a tool. No doubt the thought has crossed your mind. I do like the idea of using AI to create a “management-ready” format from the spreadsheet.

Only slightly better (less worse?) is to do a more formal review of the first couple of requests that come through, and attempt to establish “profiles” for the type of firewall change requests coming through e.g. based on network location, port, target system risk profile etc. Then when similar requests come in you can lean on those more formal reviews as justification for decisions or appropriate additional controls required. This may not be practical in your situation and you do have to worry about ‘drift’ of approved requests from the baseline reviews.

The only other qualities I would try to ensure any solution has would be to ensure the decision process is repeatable (2 different people following the process will get the same result) and ensure the output is in a standardised format (lets you feed the output into something else to improve the process in the future).

Sorry I don’t have any more insightful ideas, but maybe something here helps confirm your own ideas on what a practical approach might be.
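As an added illustration (example code written for this thread, not from any of the posters or from any vendor product) of the POC use case in the original post and of the "profiles", repeatability and standardised-output points in the reply above: a small rule-based pre-assessment of a firewall change request. The trust zones, admin-port list, policy and NIS2 control references (`POLICY-FW-*`, `NIS2-CTRL-*`), and the baseline reviews (`REV-*`) are all constructed placeholders standing in for the client's real constraints; the point is that the same request always yields the same findings, that a request matching an earlier formal review is recognised, that a broader source range than the reviewed baseline is flagged as drift, and that the result is a fixed JSON shape with a one-sentence management summary.

```python
"""Rule-based pre-assessment of a firewall change request (constructed example)."""
from dataclasses import dataclass, asdict
import ipaddress
import json

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class FirewallRequest:
    src: str            # source CIDR
    dst: str            # destination CIDR
    port: int           # destination port, 0 = any
    proto: str          # "tcp", "udp" or "any"
    justification: str  # free text supplied by the requesting team


# Constructed trust zones; anything not listed is treated as "internet".
ZONES = {
    "ot":   ipaddress.ip_network("10.50.0.0/16"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":  ipaddress.ip_network("192.0.2.0/24"),
}
# Constructed policy: administrative ports that must never be reachable from the internet.
ADMIN_PORTS = {22, 3389, 5900, 445}

# Constructed baseline of earlier formally reviewed requests, keyed by profile
# (source zone, destination zone, port, proto). "widest_src_prefixlen" is the
# broadest source range the reviewer accepted; anything broader is drift.
BASELINE = {
    ("corp", "ot", 502, "tcp"):  {"decision": "approved", "widest_src_prefixlen": 24, "review": "REV-0001 (constructed)"},
    ("corp", "dmz", 443, "tcp"): {"decision": "approved", "widest_src_prefixlen": 16, "review": "REV-0002 (constructed)"},
}


def zone_of(cidr):
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"


def assess(req):
    """Apply the constructed policy checks; each finding cites a placeholder control reference."""
    src = ipaddress.ip_network(req.src)
    sz, dz = zone_of(req.src), zone_of(req.dst)
    findings = []

    def add(fid, sev, msg, ref):
        findings.append({"id": fid, "severity": sev, "message": msg, "control": ref})

    if src.prefixlen == 0 and req.port == 0:
        add("ANY-ANY", "critical", "any source to any port; violates least-privilege baseline", "POLICY-FW-01 (constructed)")
    if sz == "internet" and req.port in ADMIN_PORTS:
        add("ADMIN-FROM-INTERNET", "critical", f"administrative port {req.port} exposed to the internet", "POLICY-FW-02 (constructed)")
    if dz == "ot" and sz != "ot":
        add("OT-INGRESS", "high", f"traffic from the {sz} zone into OT requires a segmentation review", "NIS2-CTRL-SEG (constructed)")
    if dz == "ot" and src.prefixlen < 24:
        add("BROAD-SOURCE", "medium", f"source /{src.prefixlen} is broader than a /24 for an OT destination", "POLICY-FW-03 (constructed)")
    if len(req.justification.strip()) < 20:
        add("WEAK-JUSTIFICATION", "medium", "business justification is missing or too short to audit", "NIS2-CTRL-DOC (constructed)")
    return findings


def match_profile(req):
    """Look up the request's profile in the baseline; report drift if the source is broader than reviewed."""
    profile = BASELINE.get((zone_of(req.src), zone_of(req.dst), req.port, req.proto))
    if profile is None:
        return None, False
    drift = ipaddress.ip_network(req.src).prefixlen < profile["widest_src_prefixlen"]
    return profile, drift


def pre_assess(req):
    """Return the standardised pre-assessment record, including a one-line management summary."""
    findings = assess(req)
    risk = max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default="none")
    profile, drift = match_profile(req)
    if risk == "critical":
        decision = "reject"                 # hard policy violation, no profile can justify it
    elif profile is not None and not drift:
        decision = "approve-by-profile"     # covered by an earlier formal review
    else:
        decision = "manual-review"
    summary = (f"Request {req.src} -> {req.dst} port {req.port}/{req.proto}: risk {risk}, "
               f"{len(findings)} finding(s), decision {decision}"
               + (f"; matches reviewed profile {profile['review']}" if profile else "; no reviewed profile")
               + ("; WARNING: source is broader than the reviewed baseline (drift)" if drift else "") + ".")
    return {"request": asdict(req), "zones": {"src": zone_of(req.src), "dst": zone_of(req.dst)},
            "risk": risk, "findings": findings, "profile": profile, "drift": drift,
            "decision": decision, "summary": summary}


if __name__ == "__main__":
    # Constructed sample requests: a profile match, a drifted variant, and an internet-facing RDP rule.
    samples = [
        FirewallRequest("10.10.5.0/24", "10.50.1.10/32", 502, "tcp", "Modbus polling from the corp historian, ticket CHG-1234 (constructed)"),
        FirewallRequest("10.10.0.0/16", "10.50.1.10/32", 502, "tcp", "Modbus polling from the corp historian, ticket CHG-1235 (constructed)"),
        FirewallRequest("0.0.0.0/0", "192.0.2.10/32", 3389, "tcp", "vendor needs RDP"),
    ]
    for s in samples:
        print(json.dumps(pre_assess(s), indent=2))
```

The checks are deliberately crude; the value is in the shape of the process rather than in any single rule. Every check is deterministic, so two reviewers running the same request get the same record, and because the record is plain JSON the findings, the matched review and the drift flag can be fed into a ticketing system or, as suggested in the thread, handed to an LLM to expand the one-line summary into a management-ready write-up.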